IsDebuggerPresent (Inline ASM)

Posted: Sat Jun 25, 2011 7:46 pm
by Mr52

Procedure MIsDebuggerPresent()
  !MOV eax,dword[fs:18h]
  !MOV eax,dword[eax+30h]
  !MOVZX eax,byte[eax+2]
  CMP eax,#True
  !RET
  ProcedureReturn
EndProcedure

usage:

If(MIsDebuggerPresent())
  MessageRequester("haha","Sorry")
Else
  MessageRequester("Not Debugged","Not Debugged")
EndIf
Proof (screenshot not included)

Re: IsDebuggerPresent (Inline ASM)

Posted: Sun Jun 26, 2011 3:42 am
by MachineCode
Doesn't compile; I get a syntax error for this line: CMP eax,#True

[Edit] Worked it out, had to change that line by adding "!" to the front, and change "#True" to "1". Now it works! :)

Procedure MIsDebuggerPresent()
  ; Walk TEB -> PEB -> BeingDebugged (32-bit Windows only)
  !MOV eax,dword[fs:18h]     ; fs:[18h] = TEB self pointer
  !MOV eax,dword[eax+30h]    ; TEB+30h = pointer to the PEB
  !MOVZX eax,byte[eax+2]     ; PEB+2 = BeingDebugged (0 or 1)
  !CMP eax,1                 ; only sets flags; eax already holds the result
  !RET                       ; return directly with eax as the procedure result
  ProcedureReturn            ; never reached because of the RET above
EndProcedure

Re: IsDebuggerPresent (Inline ASM)

Posted: Sun Jun 26, 2011 4:12 am
by MachineCode
Question: doesn't the mere fact that the test shows up in OllyDbg mean that someone with OllyDbg can simply bypass it?

Re: IsDebuggerPresent (Inline ASM)

Posted: Sun Jun 26, 2011 7:26 am
by Mr52
It is one of the additions; yeah, people can bypass it, but instead of a MessageBox I can directly end the program or not execute anything which could trigger in Olly.

Re: IsDebuggerPresent (Inline ASM)

Posted: Sun Jun 26, 2011 8:47 am
by MachineCode
What I mean is, "Is_Debugger_Present" and such is visible in OllyDbg BEFORE OllyDbg even runs the exe... so they can just bypass it from there, in stepping mode. No? I'm not an ASM expert but it doesn't look very safe to me.

Re: IsDebuggerPresent (Inline ASM)

Posted: Sun Jun 26, 2011 10:33 am
by Didelphodon
It's widely known by the RE community that inlining functions adds another level of defense (obscurity). Especially inlining IsDebuggerPresent is a rather old trick. Furthermore, it's still as easy to bypass as all the other lines of defense. Trial-and-error and tracing back to the instruction that caused it is an appropriate way to do this. The hop from the TEB to the PEB and the specific flag is also quite easy to detect.
Don't get me wrong, I appreciate your contribution, but I just want to make the readers aware that this is not THE solution they were waiting for regarding anti-cracking or so.

Cheers,
Didel.
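The TEB-to-PEB-to-BeingDebugged hop that Didelphodon says is easy to spot can be found by a simple byte-signature scan. The following is an added example (not code from this thread or from any poster): it matches the 32-bit encodings of `mov r32,[fs:18h]`, `mov r32,[r32+30h]` and a byte load or compare at `[r32+2]`, allowing a few unrelated bytes between them, over a constructed sample buffer; the sample bytes and the gap limit of 16 are assumptions.

```python
import re

# Signature for the 32-bit TEB -> PEB -> BeingDebugged walk used by inlined
# IsDebuggerPresent checks. Each instruction may be separated from the next by
# up to 16 unrelated bytes (assumed tolerance for interleaved instructions).
PEB_BEINGDEBUGGED_WALK = re.compile(
    # mov r32,[fs:18h]: A1 moffs32 form (eax only) or 8B /r with mod=00,rm=101 disp32
    rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x2d\x35\x3d])\x18\x00\x00\x00"
    # mov r32,[r32+30h]: 8B /r with mod=01 (disp8) and disp8 = 30h (TEB.ProcessEnvironmentBlock)
    rb".{0,16}?\x8b[\x40-\x7f]\x30"
    # movzx r32,byte [r32+2] / mov r8,[r32+2] / cmp byte [r32+2],0  (PEB.BeingDebugged)
    rb".{0,16}?(?:(?:\x0f\xb6|\x8a)[\x40-\x7f]\x02|\x80[\x78-\x7f]\x02\x00)",
    re.DOTALL,
)


def find_peb_debug_checks(code: bytes):
    """Return (offset, hex_of_matched_bytes) for every inlined BeingDebugged walk found."""
    return [(m.start(), m.group().hex()) for m in PEB_BEINGDEBUGGED_WALK.finditer(code)]


# Constructed sample: two hand-assembled variants of the check with padding around them.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                    # push ebp / mov ebp,esp (constructed prologue)
    + b"\x64\xa1\x18\x00\x00\x00"      # mov eax, fs:[18h]          (offset 3)
    + b"\x8b\x40\x30"                  # mov eax, [eax+30h]
    + b"\x0f\xb6\x40\x02"              # movzx eax, byte [eax+2]
    + b"\xc3"                          # ret
    + b"\x90" * 8                      # unrelated padding
    + b"\x64\x8b\x0d\x18\x00\x00\x00"  # mov ecx, [fs:18h]          (offset 25)
    + b"\x90"                          # one interleaved byte (tolerated gap)
    + b"\x8b\x49\x30"                  # mov ecx, [ecx+30h]
    + b"\x80\x79\x02\x00"              # cmp byte [ecx+2], 0
    + b"\x75\x00"                      # jnz (target irrelevant here)
)

if __name__ == "__main__":
    for offset, hexbytes in find_peb_debug_checks(SAMPLE_CODE):
        print(f"inlined BeingDebugged check at offset {offset}: {hexbytes}")
```

The same walk on 64-bit Windows goes through gs:[60h] and [rax+2], so a scanner for x64 binaries needs a second signature.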

Re: IsDebuggerPresent (Inline ASM)

Posted: Sun Jun 26, 2011 12:48 pm
by Thorium
This is bypassed just by deleting the debugged flag, which is standard for any debugger-hiding plugin for OllyDbg. So it does not add anything to the protection.